A problem exists today affecting countless unsuspecting users: ZIP files that contain malicious JavaScript code which, if clicked, downloads malware and launches it on their PCs.
On Windows, if the user has not registered these types of files to open automatically in a code editor, these files run via the Windows Script Host (WSH).
This is an automation technology for Microsoft Windows operating systems, similar to batch files, but one that can work with JavaScript and JScript (Microsoft's version of JavaScript) code.
With such powerful features, you sometimes wonder why it took malware coders so long to figure out they could abuse this ability. But they have now, and the picture isn't rosy.
ZIP files boobytrapped with JavaScript abused to spread malware
We've seen ransomware, banking trojans, and all sorts of nasty malware distributed via this method. Attackers craft a malicious JavaScript file, pack it into a ZIP file, attach it to an email, and spam hundreds and thousands of users in short-burst campaigns.
When users receive the email, they download the file and unzip it. Inside they find the JavaScript file, which is a curious payload to find inside a ZIP file. Users see it's not an executable, so they rule out a malware infection from the get-go.
If they make the mistake of double-clicking it, the damage is done before they realize it: the JavaScript file silently executes in the background and the malware takes root.
But there's a way to prevent this, according to F-Secure, a Finnish cyber-security vendor, whose how-to tutorial we're reproducing below.
To prevent automatic execution of a malicious JavaScript file, you'll have to edit the Windows Registry and disable the automatic connection between JavaScript/JScript code and the Windows Script Host mentioned above.
Let's disable automatic JavaScript execution via Windows Script Host
Step 1: Open the Windows Search and type in "Regedit" to open the Windows Registry Editor.
Step 2: On the left you have some folders. Open the folders in the following order (path): "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings"
Step 3: Once you've reached the last folder called "Settings," go to the panel on the right and right-click anywhere on the background.
Step 4: From the new popup menu, select "New" and then "DWORD (32-bit) Value".
Step 5: This will create a new entry, which you'll have to name "Enabled". Once you've done this, double-click it to open a new popup.
Step 6 (optional): In this popup, make sure that you have "0" (zero) entered in the Value field, and that the Base setting is set to Hexadecimal.
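The same change, applied and read back with PowerShell instead of Regedit, as an added example that is not part of F-Secure's tutorial. It assumes an elevated prompt, because the "Settings" key lives under HKEY_LOCAL_MACHINE; the function names are ours.

```powershell
# Added example: perform Steps 2-6 from the tutorial in PowerShell and verify the result.
# Requires an elevated (Administrator) PowerShell session.
$wshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    # The "Settings" key normally already exists; create it only if it is missing.
    if (-not (Test-Path -Path $wshSettings)) {
        New-Item -Path $wshSettings -Force | Out-Null
    }
    # Steps 4-6: a REG_DWORD named "Enabled" with value 0 turns WSH off machine-wide.
    # -Force overwrites the value if it was already present (for example set to 1).
    New-ItemProperty -Path $wshSettings -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WindowsScriptHostDisabled {
    # Returns $true only when the "Enabled" value exists and is exactly 0.
    $item = Get-ItemProperty -Path $wshSettings -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.Enabled -eq 0)
}

Disable-WindowsScriptHost
if (Test-WindowsScriptHostDisabled) {
    Write-Output 'Windows Script Host is disabled (Enabled = 0).'
} else {
    Write-Output 'Windows Script Host is still enabled; check that the session was elevated.'
}
```

Re-running the script is harmless, and a later audit can call Test-WindowsScriptHostDisabled alone to confirm the setting has not been reverted.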
Testing that everything works
That's it. Close all the windows and go for a test. To verify that the Windows Script Host won't open any JavaScript files, you'll first need a JavaScript file.
The easiest way is to download this file right here, which is the jQuery JavaScript library. Press CTRL+S to save it from your browser to your computer, and then double-click the file.
If you've set up your Windows Registry correctly, the following popup will appear, telling you the Windows Script Host has been disabled.